3 Why use Network Access Protection?
[Slide diagram: Healthy computer; Private Network; Unhealthy computer]
One of the most time-consuming challenges that administrators face is ensuring that computers that connect to private network assets are up to date and meet health policy requirements. This complex task is commonly referred to as maintaining computer health. Enforcing requirements is even more difficult when the computers, such as home computers or traveling laptops, are not under the administrator’s control. Yet failure to keep computers that connect to the network up to date is one of the most common ways to jeopardize the integrity of a network. For example, attackers create software that targets out-of-date computers. Users who do not update their home computers with the most recent antivirus signatures risk exposing private network assets to viruses. Administrators frequently lack the time or resources to ensure that all the software they would like to require is, in fact, installed and up to date. Additionally, administrators cannot easily manage or change requirements as often as they want.
Network Access Protection for Windows Server 2008 and Windows Vista provides components and an application programming interface (API) set that help administrators enforce compliance with health policies for network access or communication. Developers and administrators can create solutions for validating computers that connect to their networks, can provide needed updates or access to needed resources (called health update resources), and can limit the access of noncompliant computers. The enforcement features of Network Access Protection can be integrated with software from other vendors or with custom programs.
Administrators can customize the systems they develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access of computers that do not meet health policy requirements to a restricted network.
Network Access Protection is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all the software and configurations that the health policy requires, the computer is considered compliant, and it will be granted the appropriate access to the network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

4 Scenario 1: Your employees' laptops
[Slide diagram: NAP]
Network Access Protection is designed to be flexible. It can interoperate with any vendor’s software that provides system health agents (SHAs) and system health validators (SHVs) or that recognizes its published API set. Network Access Protection helps provide a solution for the four common scenarios.
The first scenario involves checking the health and status of roaming laptops. Portability and flexibility are two primary advantages of laptops, but these features also present a health threat. Company laptops frequently leave and return to the company network. While laptops are away from the company, they might not receive the most recent software updates or configuration changes. Laptops might also be infected while exposed to unsecured networks, such as the Internet. By using Network Access Protection, network administrators can check the health of any laptop when it reconnects to the company network, whether by creating a VPN connection back to the company network or by physically returning to the office.

5 Scenario 2: Workstations on the local network
[Slide diagram: Network Policy Server]
Although desktop computers do not usually leave the premises, they still can present a health threat to a network. To minimize this threat, administrators must maintain these computers with the most recent updates and software the company wants to require. Otherwise, those computers are at higher risk of infection from Web sites, files from shared folders, and other publicly accessible resources. By using Network Access Protection, network administrators can automate system checks to verify each desktop computer’s compliance with the health policies. Administrators can check log files to review which computers do not comply. With the addition of management software, automatic reports can be generated, updates can be made automatically to noncompliant computers, and when administrators change health policies, computers can be automatically provided with the most recent updates.

6 Scenario 3: Laptops of visitors, customers, ...
[Slide diagram: Network Policy Server]
Organizations frequently need to allow consultants and guests access to their private networks. The laptops that these visitors bring might not meet network requirements and can present health risks. By using Network Access Protection, administrators can determine that the visiting laptops are not authorized to access the network and limit their access to a restricted network. Generally, administrators would not require or provide any updates or configuration changes to the visiting laptops. The administrator might configure Internet access for visiting laptops in the restricted network, but not for other computers whose access is limited.

7 Scenario 4: Unmanaged home computers
Unmanaged home computers provide an additional challenge to network administrators because they do not have physical access to these computers. Lack of physical access makes enforcing compliance with network requirements (such as the use of antivirus software) even more difficult. Verifying the health of these computers is similarly challenging. By using Network Access Protection, network administrators can check for required programs, registry settings, files, or combinations of these every time a home computer makes a VPN connection to the network, and they can limit the connection to a restricted network until system health requirements are met.
Depending on their needs, administrators can configure a solution to address any or all of these scenarios for their networks.

8 NAP components

9 Communication in NAP

10 Network Protection Services components
[Slide diagram: Network Policy Server (NPS); Network Access Protection (NAP) Policy Server; IEEE Wireless; IEEE Wired; RADIUS Server; RADIUS Proxy; Routing and Remote Access; Remote Access Service; Routing; Health Registration Authority (HRA)]
When Network Policy and Access Services is installed, several role services are available. Network Policy Server (NPS) is the Microsoft implementation of a RADIUS server and proxy. NPS can be used to centrally manage network access through a variety of network access servers, including wireless access points, virtual private networking (VPN) servers, dial-up servers, and 802.1X authenticating switches. In addition, NPS can be used to deploy secure password authentication with Protected Extensible Authentication Protocol (PEAP)-MS-CHAP v2 for wireless connections. NPS also contains key components for deploying NAP on a network.
[BUILD1] After installation of the NPS role service, the following technologies can be deployed. The first is Network Access Protection (NAP) policy server. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network.
[BUILD2] Using the Network Policy Server (NPS) MMC snap-in, an administrator can configure 802.1X-based connection request policies for IEEE wireless client network access and for IEEE wired client Ethernet network access.
[BUILD3] NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and remote access dial-up and VPN connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. RADIUS is an acronym for Remote Authentication Dial In User Service. RADIUS defines a popular standard used for maintaining and managing remote user authentication and validation.
[BUILD4] When NPS is used as a RADIUS proxy, connection request policies can be configured that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests.
[BUILD5] With Routing and Remote Access, an organization can deploy VPN and dial-up remote access services and multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services. Using Routing and Remote Access, you can deploy Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) with Internet Protocol security (IPsec) VPN connections to provide end users with remote access to your organization's network. Remote Access also provides traditional dial-up remote access to support mobile users or home users who are dialing in to an organization's intranets. Dial-up equipment that is installed on the server running Routing and Remote Access answers incoming connection requests from dial-up networking clients. The remote access server answers the call, authenticates and authorizes the caller, and transfers data between the dial-up networking client and the organization intranet.
Routing provides a full-featured software router and an open platform for routing and internetworking. It offers routing services to businesses in local area network (LAN) and wide area network (WAN) environments.
[BUILD6] Health Registration Authority (HRA) is a NAP component that issues health certificates to clients that pass the health policy verification that is performed by NPS using the client SoH. HRA is used only when the NAP enforcement method is IPsec enforcement.

11 NAP architecture
[Slide diagram: System Health Servers; Remediation Servers; Client; Updates; Health policy; Network Access Requests; Client Health Statements; MS Network Policy Server; System Health Agent (SHA), MS and 3rd Parties; Health Certificate; System Health Validator; Quarantine Agent (QA); Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN); Network Access Devices and Servers; Quarantine Server (QS)]
The NAP architecture reveals an integrated environment to ensure the health of a system.
[BUILD1] The client environment includes a System Health Agent (SHA), a Quarantine Agent (QA) and an Enforcement Client (EC). The System Health Agent checks the state of a client and declares its health (update state, virus signatures, system configuration, etc.). The Quarantine Agent (QA) coordinates the SHA and the EC. The Quarantine Agent is cross platform.
[BUILD2] Each SHA is defined for a system health requirement or a set of system health requirements. For example, there might be an SHA for antivirus signatures and an SHA for operating system updates. A specific SHA might be matched to a remediation server. For example, an SHA for checking antivirus signatures is matched to the server that contains the latest antivirus signature file. SHAs do not have to have a corresponding remediation server. For example, an SHA can just check local system settings to ensure that a host-based firewall is enabled. Windows Vista and Windows Server 2008 include a Windows Security Health Validator SHA. Third-party software vendors or Microsoft can provide additional SHAs to the Network Access Protection platform.
[BUILD3] The Enforcement Client handles the method of enforcement. Each NAP EC is defined for a different type of network access or communication. For example, there is a NAP EC for DHCP configuration and a NAP EC for VPN connections. The NAP EC is typically matched to a specific type of NAP server. For example, the DHCP NAP EC is designed to work with a DHCP-based NAP server. Some NAP ECs are provided with the NAP platform, and third-party software vendors can provide others.
[BUILD4] The Remediation Server installs necessary updates, configurations and applications and brings clients to a healthy state. Once a client is in restriction, it is given routes to the remediation server.
[BUILD5] The Network Access Device and Server have the intelligence to grant or deny a client access to the network. This could be a firewall or an appliance.
[BUILD6] The System Health Server provides client compliance policies by defining health requirements for system components on the client.
[BUILD7] The Network Policy Server (NPS) includes the Quarantine Server and the System Health Validator. The Quarantine Server (QS) sits on the Microsoft IAS Policy Server. Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. The QS coordinates the System Health Validators (SHV). System Health Validators certify declarations made by health agents.

12 Network layer protection with NAP
[Slide diagram: Client; 802.1x Switch; MS NPS; Restricted Network; Remediation Servers; System Health Servers. Callouts in order: "Ongoing policy updates to Network Policy Server"; "May I have access? Here’s my current health status."; "Should this client be restricted based on its health?"; "According to policy, the client is not up to date. Quarantine client, request it to update."; "You are given restricted access until fix-up."; "Can I have updates?"; "Here you go."; "Requesting access. Here’s my new health status."; "According to policy, the client is up to date. Grant access."; "Client is granted access to full intranet."]
This scenario will examine how Network Access Protection works with DHCP/VPN.
[BUILD1] Health policy is set by the IT administrator. It is asynchronously plumbed by the system health servers to the IAS policy server. The IAS policy server keeps a health cache at any given time.
[BUILD2] The client requests network access, and forwards its statement of health (SoH).
[BUILD3] The Network Access Device sends this information to the IAS policy server.
[BUILD4] IAS compares it to what’s in the cache and if the SoH doesn’t meet health policy, the IAS policy server notifies the Network Access Device to restrict the client – it could be put in a VLAN or separate subnet. The IAS policy server also informs the NAD what the client needs to become healthy.
[BUILD5] The NAP system information passed to the client by the NAP systems tells it how to access the fix-up servers.
[BUILD6] The client contacts the remediation server and requests updates.
[BUILD7] The Remediation Server provides the client with the necessary updates so it will pass the required system health policies.
[BUILD8] The client returns to the Network Access Device with an updated SoH.
[BUILD9] The Network Access Device sends this information to the IAS policy server.
[BUILD10] This time it matches policy, so the client gains full access to network resources. The SoH is re-used to continue to access network resources until the policy is updated.

13 NAP – Enforcement Options
Enforcement   Unhealthy client                                                  Healthy client
DHCP          Restricted set of routes                                          Full IP address given, full access
VPN           Restricted VLAN                                                   Full access
802.1X        Restricted VLAN                                                   Full access
IPsec         Healthy peers reject connection requests from unhealthy systems   Can communicate with any trusted peer
IPsec in addition: complements layer 2 protection; works with existing servers and infrastructure; offers flexible isolation.
Enforcement works virtually the same whether you are using DHCP, VPN, 802.1X, or IPsec: healthy clients are given full access and unhealthy clients are restricted. Administrators can configure Dynamic Host Configuration Protocol (DHCP) Enforcement, virtual private network (VPN) Enforcement, IEEE 802.1X Enforcement, Internet Protocol security (IPsec) Enforcement, or all four, depending on their network needs.
Network Access Protection provides an infrastructure and an API set for extending Network Access Protection functionality. Vendors and software developers can use the API set to build their own network policy validation, ongoing network policy compliance, and network isolation components that are compatible with Network Access Protection. Network Access Protection allows for customer choice by providing options beyond just DHCP and VPN enforcement. Some extra benefits of IPsec-based enforcement include the ability to isolate unhealthy clients. In addition, secure enforcement cannot be bypassed by reconfiguring the client or by use of hubs and virtual PC technology. With IPsec, infrastructure upgrades aren’t necessary, because it works with today’s switches and routers. IPsec also offers flexible isolation: healthy systems can connect to quarantined systems but not vice versa, and the isolation model is defined by policy.
Microsoft recommends that organizations use the enforcement mechanisms in combination. Each customer is different and will need to assess many factors, such as risk, business models, health policies and management, access scenarios, infrastructure investments, and upgrade schedule, among other things. NAP empowers the customer to make a selection based on the unique circumstances of a customer’s environment without compromising on the need for a strong, multi-layered network security and access policy management solution.

14 Host layer protection with NAP
[Slide diagram: Client; HRA; NPS; Remediation Server; "Accessing the network" (X = denied); IPsec policy levels: No Policy, Authentication Optional, Authentication Required. Callouts in order: "May I have a health certificate? Here’s my SoH."; "Client ok?"; "No. Needs fix-up."; "You don’t get a health certificate. Go fix up."; "I need updates."; "Here you go."; "Yes. Issue health certificate."; "Here’s your health certificate."]
Here is an example of host layer protection in which a client tries to access the network.
[BUILD1] The first attempt by the client is denied.
[BUILD2] The client asks for a health certificate, but it is initially denied until it gets “fixed up,” according to the policy.
[BUILD3] The client is “updated” by the Remediation Server.
[BUILD4] After the client gets its health certificate, it is finally allowed in.

15 IPsec enforcement
[Slide diagram: Secure network (IPsec Authenticated); Boundary network; Restricted network (Unauthenticated)]
IP Security (IPsec) Enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined in terms of which computers have health certificates and which computers require IPsec authentication with health certificates for incoming communication attempts. The logical networks allow for limited network access and remediation and provide compliant computers with a level of protection from noncompliant computers.
IPsec Enforcement defines the following logical networks:
[BUILD1] Secure networks are the set of computers that have health certificates and require that incoming communication attempts use health certificates for IPsec authentication. On a managed network, most server and client computers that are members of the Active Directory domain would be in the secure network.
[BUILD2] Boundary networks are the set of computers that have health certificates but do not require that incoming communication attempts use health certificates for IPsec authentication. Computers in the boundary network must be accessible to computers on the entire network.
[BUILD3] Restricted networks are the set of computers that do not have health certificates, which includes noncompliant NAP client computers, guests on the network, and computers that are not NAP-capable.
[BUILD4] Computers in the secure network can initiate communications with computers in all three logical networks. Communications initiated to computers in the secure network or boundary network are authenticated with IPsec and health certificates. Communications initiated to computers in the restricted network are not authenticated with IPsec. Computers in the secure network will accept communications initiated from computers in the secure and boundary networks that are authenticated with IPsec, but will not accept communications initiated from computers in the restricted network.
[BUILD5] Computers in the boundary network can initiate communications with computers in the secure or boundary networks that are authenticated with IPsec and health certificates, or with computers in the restricted network that are not authenticated with IPsec. Computers in the boundary network will accept communications initiated from computers in the secure and boundary networks that are authenticated with IPsec and health certificates and from computers in the restricted network that are not authenticated with IPsec.
Members of the boundary network will typically consist only of the HCS (the health certificate server, the HRA role described above) and the NAP remediation servers. Servers in the boundary network must be accessible from noncompliant NAP clients in the restricted network (to perform initial remediation functions and obtain health certificates) and from compliant computers in the secure network (to perform ongoing remediation functions, renew health certificates, and manage the computers in the boundary network).
A computer is a member of the secure or boundary network for the time specified in the validity period of the health certificate. Before the health certificate expires, the IPsec-based NAP client contacts the HCS to obtain a new health certificate. The validity time period can be configured on the HCS.
[BUILD6] Computers in the restricted network can initiate communications with computers in the restricted and boundary networks. Computers in the restricted network cannot initiate communications to computers in the secure network (unless specifically allowed through the IPsec policy settings of the computers in the secure network). Computers in the restricted network will accept communications initiated from computers in all three logical networks.
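A model of the three logical networks and of the initiate/accept rules described above, as an added Python example (it is not part of the original notes and not Microsoft's NAP code). The host names, the per-host IPsec policy exception set, and the certificate validity periods are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

SECURE, BOUNDARY, RESTRICTED = "secure", "boundary", "restricted"

@dataclass
class Host:
    name: str
    cert_expires: Optional[datetime] = None   # None = no health certificate
    require_cert_inbound: bool = False        # True on secure-network members
    # Restricted hosts this host still accepts from via an IPsec policy exception
    allow_from_restricted: Set[str] = field(default_factory=set)

def has_health_cert(host: Host, now: datetime) -> bool:
    """A health certificate only counts within its validity period."""
    return host.cert_expires is not None and now < host.cert_expires

def logical_network(host: Host, now: datetime) -> str:
    """Which of the three logical networks the host is in at this moment."""
    if not has_health_cert(host, now):
        return RESTRICTED
    return SECURE if host.require_cert_inbound else BOUNDARY

def can_initiate(src: Host, dst: Host, now: datetime) -> Tuple[bool, bool]:
    """Return (allowed, ipsec_authenticated) for a connection src -> dst."""
    src_net, dst_net = logical_network(src, now), logical_network(dst, now)
    if dst_net == RESTRICTED:
        # Restricted hosts accept from everyone, and nobody authenticates to them.
        return True, False
    # Secure or boundary destination: the initiator must present a health
    # certificate in IPsec authentication, which a restricted host cannot do.
    if src_net == RESTRICTED:
        if dst_net == BOUNDARY:
            return True, False   # boundary hosts also accept unauthenticated traffic
        return src.name in dst.allow_from_restricted, False
    return True, True

def access_matrix(now: datetime = datetime(2008, 1, 1, 9, 0)) -> dict:
    """One constructed host per logical network; every src -> dst outcome."""
    hosts = {
        SECURE: Host("fileserver", now + timedelta(hours=8), require_cert_inbound=True),
        BOUNDARY: Host("hra", now + timedelta(hours=8), require_cert_inbound=False),
        RESTRICTED: Host("guest-laptop"),
    }
    return {(s, d): can_initiate(hosts[s], hosts[d], now) for s in hosts for d in hosts}

def hcs_renew(host: Host, now: datetime, compliant: bool, validity: timedelta) -> Host:
    """The client asks the HCS for a new certificate; issued only if compliant."""
    if compliant:
        host.cert_expires = now + validity
    return host

def expiry_demo() -> tuple:
    """A secure-network laptop that misses its renewal window drops to restricted."""
    t0 = datetime(2008, 1, 1, 9, 0)
    laptop = Host("laptop", t0 + timedelta(hours=1), require_cert_inbound=True)
    server = Host("server", t0 + timedelta(hours=8), require_cert_inbound=True)
    before = (logical_network(laptop, t0), can_initiate(laptop, server, t0))
    later = t0 + timedelta(hours=2)              # certificate has lapsed by now
    after = (logical_network(laptop, later), can_initiate(laptop, server, later))
    hcs_renew(laptop, later, compliant=True, validity=timedelta(hours=8))
    renewed = logical_network(laptop, later)
    return before, after, renewed
```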

16 NAP with DHCP
[Slide diagram: Client; DHCP Server; NPS Server; VPN Server; Remediation Servers; IEEE 802.1X Devices. Callouts in order: "I need to lease an IP address"; "You are not within the Health Policy requirements"; "The client requests and receives updates"; "Requesting access. Here’s my new health status."; "Access Granted. Here is your new IP Address"]
Network Access Protection can be used with DHCP to enforce health policies, which can help protect a network against the spread of viruses, worms, and malicious software (malware).
[BUILD1] NAP enforces health policies for the following network access technologies: DHCP address configuration, network connections based on VPN, and communication based on Internet Protocol security (IPsec). NAP also provides a suite of APIs that allow companies other than Microsoft to integrate their software into the NAP platform. By using the NAP APIs, software vendors can provide end-to-end solutions that validate health and remediate unhealthy clients.
[BUILD2] DHCP Enforcement comprises a DHCP NAP ES component and a DHCP NAP EC component. Using DHCP Enforcement, DHCP servers can enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. Because DHCP Enforcement relies on entries in the IP routing table, it is the weakest form of limited network access in Network Access Protection.
[BUILD3] The DHCP Server service on a computer running Windows Server 2008 provides automatic IP address configuration to intranet clients.
[BUILD4] Between a NAP client and a DHCP server, the NAP client, acting as a DHCP client, uses DHCP messages to obtain a valid IPv4 address configuration and to indicate its current system health state. The NAP server uses DHCP messages to allocate either an IPv4 address configuration for the restricted network and indicate remediation instructions (if the DHCP client is noncompliant), or an IPv4 address configuration for unlimited access (if the DHCP client is compliant).
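The DHCP enforcement cycle just described, which also exercises the architecture of slide 11 and the step sequence of slide 12 (SHAs produce statements of health, the SHVs on NPS validate them against the health policy, the DHCP NAP ES hands out a restricted or a full configuration, and the client is re-checked after remediation), as an added Python simulation that is not Microsoft's code or part of the original notes. The policy thresholds, SHA claim fields, addresses and remediation servers are constructed; the restricted lease uses a host mask with routes only to the remediation servers, mirroring how NAP's DHCP enforcement limits access through the routing table.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class SoH:
    sha: str                   # which System Health Agent produced this statement
    claims: Dict[str, object]  # the health claims it makes (constructed fields)

# Health policy as plumbed by the system health servers to NPS (constructed).
HEALTH_POLICY = {
    "antivirus": {"max_signature_age_days": 7},
    "firewall": {"enabled": True},
    "updates": {"max_missing_critical": 0},
}

# Remediation servers a restricted client is routed to (constructed addresses).
# The firewall SHA only checks a local setting, so it has no remediation server.
REMEDIATION_SERVERS = {"antivirus": "10.0.0.50", "updates": "10.0.0.51"}

# System Health Validators, one per SHA; each returns (compliant, reason).
def shv_antivirus(soh: SoH) -> Tuple[bool, str]:
    limit = HEALTH_POLICY["antivirus"]["max_signature_age_days"]
    age = soh.claims.get("signature_age_days", 10 ** 6)
    return age <= limit, f"signatures {age} days old (max {limit})"

def shv_firewall(soh: SoH) -> Tuple[bool, str]:
    enabled = soh.claims.get("enabled") is True
    return enabled, "host firewall enabled" if enabled else "host firewall disabled"

def shv_updates(soh: SoH) -> Tuple[bool, str]:
    missing = soh.claims.get("missing_critical", 10 ** 6)
    return missing == 0, f"{missing} critical updates missing"

SHVS: Dict[str, Callable[[SoH], Tuple[bool, str]]] = {
    "antivirus": shv_antivirus, "firewall": shv_firewall, "updates": shv_updates,
}

def nps_evaluate(sohs: List[SoH]) -> dict:
    """NPS runs every SHV over the client's SoH list; any failure restricts."""
    failures: Dict[str, str] = {}
    seen = set()
    for soh in sohs:
        seen.add(soh.sha)
        shv = SHVS.get(soh.sha)
        if shv is None:
            failures[soh.sha] = "no validator configured for this SHA"
            continue
        ok, reason = shv(soh)
        if not ok:
            failures[soh.sha] = reason
    # Fail closed: a policy area with no SoH at all counts as noncompliant.
    for area in SHVS:
        if area not in seen:
            failures[area] = "no statement of health received"
    return {"compliant": not failures, "failures": failures}

def dhcp_es_configure(sohs: List[SoH]) -> dict:
    """DHCP NAP ES: return a full or a restricted IPv4 configuration."""
    verdict = nps_evaluate(sohs)
    if verdict["compliant"]:
        return {"address": "10.0.1.20", "mask": "255.255.0.0", "gateway": "10.0.0.1",
                "routes": [], "restricted": False, "remediation": {}}
    # Restricted: host mask, no default gateway, and routes only to the
    # remediation servers for the failed areas (restriction via the routing table).
    routes = [f"{REMEDIATION_SERVERS[a]}/32" for a in sorted(verdict["failures"])
              if a in REMEDIATION_SERVERS]
    return {"address": "10.0.1.20", "mask": "255.255.255.255", "gateway": None,
            "routes": routes, "restricted": True, "remediation": verdict["failures"]}

def remediate(sohs: List[SoH], config: dict) -> List[SoH]:
    """Client in restriction fixes each failed area and rebuilds its SoHs."""
    fixes = {"antivirus": {"signature_age_days": 0},
             "firewall": {"enabled": True},
             "updates": {"missing_critical": 0}}
    return [SoH(s.sha, {**s.claims, **fixes.get(s.sha, {})})
            if s.sha in config["remediation"] else s for s in sohs]

def lease_cycle() -> Tuple[dict, dict]:
    """Constructed roaming laptop: stale signatures and firewall off."""
    sohs = [SoH("antivirus", {"signature_age_days": 12}),
            SoH("firewall", {"enabled": False}),
            SoH("updates", {"missing_critical": 0})]
    first = dhcp_es_configure(sohs)                      # restricted lease
    second = dhcp_es_configure(remediate(sohs, first))   # renewal after fix-up
    return first, second
```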

18 NAP with RRAS (VPN)
[Slide diagram: Client; VPN Server; NPS Server; Remediation Servers; RADIUS Messages; PEAP Messages]
Routing and Remote Access on a computer running Windows Server 2008 allows VPN-based remote access connections to an intranet.
[BUILD1] The VPN NAP Enforcement Server (ES) for VPN connections is new functionality in Routing and Remote Access that uses Extensible Authentication Protocol (EAP)-RADIUS (the encapsulation of EAP messages inside RADIUS messages) to pass system health messages using PEAP-TLV between NAP clients and the NPS server. VPN Enforcement is done through IP packet filtering. The VPN NAP ES on the VPN server (a component of Routing and Remote Access) sends an EAP-Request/Identity message to the VPN NAP EC on the VPN client. The VPN NAP EC is new functionality in the Remote Access Connection Manager service that obtains the list of SoHs from the NAP Agent and sends the list of SoHs as a PEAP-Type-Length-Value (TLV) message. Alternately, the VPN NAP EC can send a health certificate in a PEAP-TLV message.